IIS authentication with weblogic

I am trying to use IIS authentication with my ADF application deployed on weblogic. Is there any documentation for this?
I want to use Windows authentication with IIS, so users should not get any prompt for username / password to the application after they have logged in to their Windows machine.
It should be like intranet ADF application.
Thanks


Similar Messages

  • How to configure IIS webserver with weblogic so that I can invoke servlets without the .wlforward extension

    How to configure IIS webserver with weblogic so that I can invoke servlets without the .wlforward extension
    As per the documentation iisforward.dll is registered as a filter and .wlforward has also been included as a special file type. However this requires me to key-in ".wlforward" after my servlet name.
    What I want is something like this
    http://iis/MyServlet
    Please help me find a solution to this
    Thanks,
    Rishi

    I am able to invoke the servlet without the wlforward extension now.
    However, now I am required to add /weblogic before the servlet
    name otherwise it does not execute the pathtrim property.
    I have tried with the pathprepend thing also.
    Can we get rid of the /weblogic part also. I just want to execute
    my servlet as http://iis/myServlet.
    Your help in this regard is greatly appreciated...
    Thanks..
    "Rishi" <[email protected]> wrote:
    >
    Thanks for the reply Kumar.
    I did follow the instructions as given in the Weblogic documentation
    The documentation said to add iisforward.dll as a filter service
    and register .wlforward as a special
    file type to be handled by iisproxy.dll. For this,
    while configuring the IIS server in the Home Directory tab
    I added an extension ".wlforward" and the executable as
    iisproxy.dll. Is this the way it should have been done...
    I also modified the iisproxy.ini file as per the documentation.
    I have added the WLForwardPath property and set it to /weblogic.
    My server works fine when I give the url as
    http://iis/myServlet.wlforward
    but it does not work for
    http://iis/myServlet and this is the way I'd want it to work.
    Please tell me if I am missing something on the configuration part
    and if there is something special that needs to be done. I shall
    be grateful to you.
    Kumar Allamraju <[email protected]> wrote:
    http://e-docs.bea.com/wls/docs61/adminguide/isapi.html#101184

  • IIS configuration with Weblogic 10gR3

    Hi All,
    We are using IIS 6.0 as the proxy server in our portal application. The portal server is Weblogic 10gR3. I have followed some documents to configure it. (http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs103/plugins/isapi.html). But I am not able to configure that. Can anybody help me in configuring IIS server as a proxy server.
    Thanks & Regards
    Abani R. Behera

    Configure IIS Plug-in with Weblogic Server
    1. Make a directory on the IIS box for the plug-in.
       For instance: c:\Inetpub\WLS_IIS_Plugin\
    2. Copy iisforward.dll and iisproxy.dll to this new directory.
       These files are located at:
         10.0: \wlserver_10.0\server\plugin\win\32
         10.3: \wlserver_10.3\server\plugin\win\32
    3. To install iisforward.dll as an ISAPI filter, do the following:
       Go to Start->Administrative Tools->Internet Information Services (IIS) Manager
       In the left pane, drill down to the active website (like "Default Web Site")
       Right-click the active website and select Properties
       Select the ISAPI Filters tab and press the Add button
         Filter name: WLS IIS Plugin
           Or whatever you want
         Executable: C:\Inetpub\WLS_IIS_Plugin\iisforward.dll
           Or whatever path you created
       Press OK twice
       IIS6 does not allow the iisforward.dll ISAPI Extension to run by default.
       To enable:
         In the left pane of the Internet Information Services (IIS) Manager, click on Web Service Extension (located under the computer name)
         In the right pane, highlight All Unknown ISAPI Extensions and press the Allow button
    4. To map .wlforward to use iisproxy.dll, do the following:
       a. In the left pane, drill down to the active website (like "Default Web Site")
       b. Right-click the active website and select Properties
       c. Select Home Directory tab
       d. Click the Configuration... button.
       e. In the Application Mapping tab, click the Add... button.
          a. Executable: C:\Inetpub\WLS_IIS_Plugin\iisproxy.dll
          b. Extension: .wlforward
       f. Uncheck Verify that file exists
       g. IMPORTANT: Ensure .wlforward is not mapped to iisforward.dll. While this seems intuitive, it is wrong. .wlforward maps to iisproxy.dll.
       h. Press OK three times
       i. Exit the IIS Manager MMC console.
    5. Create a text file named iisproxy.ini and place it in the plug-in directory (e.g. c:\Inetpub\WLS_IIS_Plugin\iisproxy.ini)
       iisproxy.ini
         WebLogicCluster=localhost:7001,localhost:7003
         WlForwardPath=/
         Debug=ALL
         DebugConfigInfo=ON
         WLLogFile=c:/temp/iisproxy.log
    6. Restart IIS using the following CLI statement: iisreset /restart
    7. Use a browser to access IIS. This will 'turn on' the IIS->WLS ISAPI filter.
    8. Relaunch the IIS Manager and check the ISAPI filter tab to ensure the iisforward.dll is now 'turned on', as evidenced by a green arrow.
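
Added example, not part of the original reply: the iisproxy.ini from step 5 is a troubleshooting configuration, shown here beside the same file with diagnostics switched off. Debug=ALL writes request and response headers to the log and DebugConfigInfo=ON lets a remote client retrieve the plug-in's settings, so both belong off once the proxy is confirmed working; the hosts and ports are the ones from the reply.

```ini
# iisproxy.ini as posted in step 5: acceptable only while bringing the plug-in up
WebLogicCluster=localhost:7001,localhost:7003
WlForwardPath=/
Debug=ALL
DebugConfigInfo=ON
WLLogFile=c:/temp/iisproxy.log

# iisproxy.ini once requests are being forwarded correctly
WebLogicCluster=localhost:7001,localhost:7003
WlForwardPath=/
Debug=OFF
DebugConfigInfo=OFF
```

Restart IIS after the change, as in step 6, and delete the debug log left in c:/temp, since it holds the headers captured while Debug=ALL was set.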

  • JAAS authentication with WebLogic 6 - "Invalid Configuration Class Name"

    For starters, I took the sample file examples.security.jaas.SampleConfig, changed the name and
    package, compiled, and copied it to the right place in the classes directory of the webapp project.
    The class is specified as a parameter in startWebLogic.cmd:
    -Dweblogic.security.jaas.Configuration="com.ww.opd.auth.JAASConfiguration"
    When a servlet attempts to get LoginContext, I get this error:
    "Invalid Configuration Class Name: com.ww.opd.auth.JAASConfiguration"
    The class file is definitely in the right place. What's the deal?
    Thanks,
    Rob

    Seems to be a ClassLoader problem. The sample is a client app, so no problem. But if you create
    a Configuration class to run on the server (to set up a LoginModule for authenticating clients)...
    I think what's happening is that the System class loader, using the CLASSPATH in the environment
    of the WebLogic server when it starts, attempts to load the Configuration class and can't (because it
    is in the CLASSPATH of the web app, not of the System class loader). If you add the Configuration
    class to the CLASSPATH of the WebLogic server, then it gets loaded but the LoginModule can't be
    found. If you add the LoginModule to the WebLogic server CLASSPATH, then any classes that it calls
    must also be in the WebLogic server CLASSPATH.
    Could someone from BEA please comment: is that the intention, that any classes used for JAAS
    authentication be part of the server's CLASSPATH, not part of the web application?
    Thanks,
    Rob

  • Reverse Proxying in IIS server with WebLogic Server 8.1

    Hi All,
    I have a customer who wants to know if we have an IIS server in DMZ (De-materialized Zone) that is used as a Reverse proxy server (server #1).
    He installed IISProxy.DLL and IISForward.DLL per PeopleSoft's and BEA instructions. They opened up a port to their PeopleSoft server (server #2) where their weblogic 8.1 is running the PeopleSoft Web server.
    From outside the city (i.e. from home) he can go to
    http://www.roundrocktexas.gov/PRTL9/signon.html and connect to their PeopleSoft 9 Enterprise Portal (so far so good). However, when he clicks on a link on his portal to go to a document or an application that is set up on another server (server #3, is an IIS web server) the link fails.
    If he is in intranet all links function properly and there is no problem.
    What he would like to be able to do is to be able to access the content on server #3 when logging in via the RPS (Reverse Proxy Server)(server #1) which is connecting him to server #2. As a test one of the non-PeopleSoft URLs that work internally is http://websrvr/fitness/login.asp. He is trying to connect from server #1 to it which resides on server #3 when he tries that he could not find file.
    I have gone through some of the links and I came to know that IIS does not support reverse proxying. I am not sure completely. For reverse proxying, we need to use ISA server (Microsoft Product) before IIS. Is this true?
    Is Reverse Proxying supported in IIS? If yes, can anyone suggest me what to do in the above scenario.
    Thanks,
    Sreedevi

    Your DOCTYPE references 2.4, it should be 2.3. WLS 8.1 supports J2EE 1.3 which was servlet 2.3.
    Servlet 2.4 is part of J2EE 1.4 and is supported by WLS 9.0/9.1. Also it uses XML Schema not a DTD.
    -- Rob
    WLS Blog http://dev2dev.bea.com/blog/rwoollen/

  • Safari for Windows will not log into IIS sites with Windows Authentication

    Safari for Windows will not log into IIS sites with Windows Authentication enabled. The IIS log has thousands of login attempts from Safari that result in 401 errors.
    I disable Windows Authentication on IIS and it works fine. The problem with that is that my Windows clients stop working properly with seamless logins when I disable this.
    The expected behavior is that Safari will work with basic authentication when NTLM does not work. That would result in a password prompt followed by a successful login instead of Safari stopping at "Loading" while hammering the IIS logs.
    It does this on all machines that I have tried.
    Any ideas or is this a bug?

    I noticed that as well. I have to wonder if it's due to not making note of the different end of line characters between Mac OS X and Windows in code.

  • IIS 6 Plug-in with Weblogic 8.1

    Hello there,
    I am just wondering if there is anyone out there, who got IIS 6 plug-in working
    with WebLogic 8.1. Plug-in perfectly works with IIS 5. When we upgraded W2K to
    W2003 plug-in didn't work with Weblogic. If there is anyone who knows how to get
    this up and running, your help will be appreciated.
    Thank you.

    Hi Vishwas,
    Thank you for the reply. I forgot to mention that Apache and WebLogic are on Solaris 9 platform.
    Accessing a webapp hosted on WebLogic through Apache->plug-in->WebLogic returns a 500 internal server error, but other webapps hosted on the same WebLogic domain work properly. Looking at the Response Hdrs from WebLogic shows that WLS returns transfer-encoding=chunked. The other webapps which work properly have content-length set and transfer-encoding is not chunked.
    So, the question is does Apache Plug-in for weblogic 8.1 SP5 read the chunked data properly?
    Thanks,
    Janani

  • NT Authentication in Weblogic 6 with Windows 2000

    Has anyone had success getting the Ntrealm running on W2K with weblogic 6sp1?
    I set everything up according to the 6.0 docs (described below) and when I access
    my web application (that I'm protecting) the login prompt doesn't accept my NT
    login, but rolls over to the fileRealm (weblogic realm). If I create the same
    login there (but say with a different password just to be sure which is which),
    I get accepted.
    Here's how I went about it:
    1) Installed WebLogic 6sp1 to run as an NT service on W2K Server sp1. Running
    as the local system account.
    2) Created an NTrealm (myNTRealm), set primary domain to the name of the W2k server
    (myServer), since I'm going to use a local nt account (testAccount, password=nt)
    to try and login. (also created a fileRealm login testAccount, password=weblogic)
    3) Created a Caching realm for the NTrealm (myNTCacheRealm), turned off Case-sensitive
    cache.
    4) Created a web application(testApp) with a single JSP file (test.jsp).
    5) Entered the following into the web.xml
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
      "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
    <web-app>
      <display-name>testApp</display-name>
      <description>NTrealm security testing app</description>
      <servlet>
        <servlet-name>Test</servlet-name>
        <jsp-file>test.jsp</jsp-file>
      </servlet>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>EntireApp</web-resource-name>
          <description>Secures the entire Application</description>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <description>Roles valid for entire site</description>
          <role-name>secureUsers</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>basic</auth-method>
        <realm-name>myNTRealm</realm-name>
      </login-config>
      <security-role>
        <description>Web app security role</description>
        <role-name>secureUsers</role-name>
      </security-role>
    </web-app>
    6) And the following into the weblogic.xml file:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 2.2//EN"
      "http://www.bea.com/servers/wls600/dtd/weblogic-web-jar.dtd">
    <weblogic-web-app>
      <description>WebLogic Deployment Descriptor</description>
      <security-role-assignment>
        <role-name>secureUsers</role-name>
        <principal-name>testAccount</principal-name>
      </security-role-assignment>
    </weblogic-web-app>
    7) Everything deploys fine and when I point my browser to http://myServer:7003/testApp/test.jsp.
    The login prompt has:
    Site: myServer
    Realm: myNTRealm
    but the server doesn't accept my NT login+password testAccount+nt, but I can
    enter the weblogic login+password testAccount+weblogic and get in.
    Any ideas? I've spent just about all the time I care to on this one.

    Have you specified the Caching Realm on the Security tab?
    i.e. Change it from '(none)' to 'myNTCacheRealm'

  • Has anyone used JAAS with WebLogic?

    Has anyone used JAAS with Weblogic? I was looking at their example, and I have a bunch of questions about it. Here goes:
    Basically the problem is this: the plug-in LoginModule model of JAAS used in WebLogic (with EJB Servers) seems to allow clients to falsely authenticate.
    Let me give you a little background on what brought me to this. You can find the WebLogic JAAS example (to which I refer below) in the pdf: http://e-docs.bea.com/wls/docs61/pdf/security.pdf . (I believe you want pages 64-74) WebLogic, I believe goes about this all wrong. They allow the client to use their own LoginModules, as well as CallBackHandlers. This is dangerous, as it allows them to get a reference (in the module) to the LoginContext's Subject and authenticate themselves (i.e. associate a Principal with the subject). As we know from JAAS, the way AccessController checks permissions is by looking at the Principal in the Subject and seeing if that Principal is granted the permission in the "policy" file (or by checking with the Policy class). What it does NOT do, is see if that Subject has the right to hold that Principal. Rather, it assumes the Subject is authenticated.
    So a user who is allowed to use their own Module (as WebLogic's example shows) could do something like:
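    // THEIR LOGIN MODULE (SOME CODE CUT OUT FOR BREVITY)
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;

    public class BasicModule implements LoginModule {
        private NameCallback strName;
        private PasswordCallback strPass;
        private CallbackHandler myCB;
        private Subject subj;

        // INITIALIZE THIS MODULE
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            try {
                // SET SUBJECT
                // NOTE: THIS GIVES YOU REFERENCE TO LOGIN CONTEXT'S SUBJECT
                // AND ALLOWS YOU TO PASS IT BACK TO THE LOGIN CONTEXT
                subj = subject;
                // SET CALLBACKHANDLERS
                strName = new NameCallback("Your Name: ");
                strPass = new PasswordCallback("Password:", false);
                Callback[] cb = { strName, strPass };
                // HANDLE THE CALLBACKS
                callbackHandler.handle(cb);
            } catch (Exception e) { System.out.println(e); }
        }

        // LOG THE USER IN
        public boolean login() throws LoginException {
            // TEST TO SEE IF SUBJECT HOLDS ANYTHING YET
            System.out.println("PRIOR TO AUTHENTICATION, SUBJECT HOLDS: " +
                    subj.getPrincipals().size() + " Principals");
            // SUBJECT AUTHENTICATED - BECAUSE SUBJECT NOW HOLDS THE PRINCIPAL
            // (MyPrincipal is the poster's own Principal class, cut from the listing;
            // nothing here checks the name or password that was collected)
            MyPrincipal m = new MyPrincipal("Admin");
            subj.getPrincipals().add(m);
            return true;
        }

        public boolean commit() throws LoginException {
            return true;
        }

        // Remaining LoginModule methods, needed for the class to compile
        public boolean abort() throws LoginException { return true; }
        public boolean logout() throws LoginException { return true; }
    }
    (Sorry for all that code)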
    I tested the above code, and it fully associates the Subject (and its principal) with the LoginContext. So my question is, where in the process (and code) can we put the LoginContext and Modules so that a client cannot do this? With the above example, there is no Security. (a call to: myLoginContext.getSubject().doAs(...) will work)
    I think the key here is to understand JAAS's plug-in security model to mean:
    (Below are my words)
    The point of JAAS is to allow an application to use different ways of authenticating without changing the application's code, but NOT to allow the user to authenticate however they want.
    In WebLogic's example, they unfortunately seem to have used the latter understanding, i.e. "allow the user to authenticate however they want."
    That, as I think I've shown, is not security. So how do we solve this? We need to put JAAS on the server side (with no direct JAAS client-side), and that includes the LoginModules as well as LoginContext. So for an EJB Server this means that the same internal permission checking code can be used regardless of whether a client connects through RMI/RMI-IIOP/JEREMIE (etc). It does NOT mean that the client gets to choose how they authenticate (except by choosing YOUR set ways).
    Before we even deal with a serialized subject, we need to see how JAAS can even be used on the back-end of an RMI (RMI-IIOP/JEREMIE) application.
    I think what needs to be done, is the client needs to have the stubs for our LoginModule, LoginContext, CallBackHandler, CallBacks. Then they can put their info into those, and everything is handled server-side. So they may not even need to send a Subject across anyways (but they may want to as well).
    Please let me know if anyone sees this problem too, or if I am just completely off track with this one. I think figuring out how to do JAAS as though everything were local, and then putting RMI (or whatever) on top is the first thing to tackle.

    Send this to:
    newsgroups.bea.com / security-group.
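
Added example, not part of the original post and not WebLogic code: one way to keep JAAS on the server as the post above argues, using only the standard javax.security.auth API. The server fixes the Configuration, its own LoginModule verifies the password before commit() adds a principal, and the client contributes only a name and a password; ServerSideJaasDemo, RolePrincipal, VerifyingLoginModule and the in-memory user store are names and data constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ServerSideJaasDemo {
    /** Hypothetical principal type, standing in for the post's MyPrincipal. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Constructed user store (user -> PBKDF2 hash); a real server would ask its realm.
    private static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static { USERS.put("Admin", hash("constructed-secret".toCharArray())); }

    static byte[] hash(char[] password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, SALT, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Server-owned module: the Subject gains a principal only after the password verifies. */
    public static final class VerifyingLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String verifiedUser;   // set by login(), consumed by commit()
        private RolePrincipal added;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            handler = h;
        }
        @Override public boolean login() throws LoginException {
            NameCallback name = new NameCallback("Your Name: ");
            PasswordCallback pass = new PasswordCallback("Password:", false);
            try {
                handler.handle(new Callback[] { name, pass });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] supplied = pass.getPassword();
            pass.clearPassword();
            byte[] expected = USERS.get(name.getName());
            if (supplied == null || supplied.length == 0 || expected == null
                    || !MessageDigest.isEqual(expected, hash(supplied))) {
                throw new FailedLoginException("bad credentials");
            }
            verifiedUser = name.getName();
            return true;
        }
        @Override public boolean commit() {
            if (verifiedUser == null) return false;   // login() failed: the Subject gets nothing
            added = new RolePrincipal(verifiedUser);
            subject.getPrincipals().add(added);
            return true;
        }
        @Override public boolean abort() { boolean had = verifiedUser != null; logout(); return had; }
        @Override public boolean logout() {
            if (added != null) subject.getPrincipals().remove(added);
            verifiedUser = null;
            added = null;
            return true;
        }
    }

    /** Fixed by the server, so a caller cannot name or supply its own LoginModule. */
    static final Configuration SERVER_CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(VerifyingLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
        }
    };

    /** Server entry point: the Subject and LoginContext are created here, never by the client. */
    static Subject authenticate(String user, char[] password) throws LoginException {
        CallbackHandler fromClient = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            }
        };
        LoginContext lc = new LoginContext("server", new Subject(), fromClient, SERVER_CONFIG);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        Subject s = authenticate("Admin", "constructed-secret".toCharArray());
        System.out.println("accepted: " + s.getPrincipals().iterator().next().getName());
        try { authenticate("Admin", "guess".toCharArray()); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Authorization code should act only on a Subject returned by a server-side entry point like authenticate(), never on a Subject deserialized from the client.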

  • OAM (10.1.4.3) Integration with WebLogic App Server (10.3.0 or below)

    Hi All,
    Can I use OAM 10.1.4.3 (Authentication Provider & Identity Asserter) to implement SSO with weblogic App Server 10.3.0 or below?
    OAM 10.1.4.3 Authentication Provider & Identity Asserter is the recommended way to configure SSO with Web Logic App server 10.3.1 ( Oracle Middleware 11g).
    And
    OAM 10.1.4.2 uses WebLogic SSPI to configure SSO between OAM 10g and WebLogic App Server 10.3.0 or below.

    Hi,
    This is how the integration goes with different versions of WLS and OAM.
    There is oamAuthnProvider.jar available with OAM 10.1.4.3 downloads. So it provides the assertion functionality.
    Can I use OAM 10.1.4.3 (Authentication Provider & Identity Asserter) to implement SSO with weblogic App Server 10.3.0 or below?
    Mahendra: Yes
    OAM 10.1.4.3 Authentication Provider & Identity Asserter is the recommended way to configure SSO with Web Logic App server 10.3.1 ( Oracle Middleware 11g).
    Mahendra: Yes, this is the recommended and easy approach.
    OAM 10.1.4.2 uses WebLogic SSPI to configure SSO between OAM 10g and WebLogic App Server 10.3.0 or below.
    Mahendra: Yes, older version of OAM uses SSPI connector installation.
    HTH.
    Mahendra.

  • LDAP security authentication in weblogic sp4 (URGENT)

    We have a web application which interacts to the D/B to authenticate a user during our login process. Now we are trying to change the login to LDAP authentication. Here is the List I did on weblogic configuration correct me if this is correct or if am missing any thing.
    1. Created a Realm
    2. Created a NOVELL LDAP Authenticator (configured user, groups, members, Novell LDAP, Details)
    3. Created a X.509 certificates ????? Do I need to create this one for authentication. The only question is I am confused by these parameters and help me out in figuring out these:
    a. filter attributes = cn=$subj.cn
    b. username attribute = cn
    c. userCertificate;binary ??? ( I have a certificate idmtree.der where do I add configuration about this certificate in the console)
    d. certificate mapping : ou=user,ou=$subj.ou,o=$subj.o,c=$subj.c (IS THIS CORRECT)
    4. created a new Weblogic Default Authorizer...
    5. created a new Weblogic Default Role Mapper...
    6. created a new Weblogic Default Credential Mapper ...(Do I need to setup my certificate inside this credential mapper or not.)
    7. I made this realm as the DEFAULT realm and started the server
    I get the following exception.
    Initializing RoleMapper provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift.>
    The RoleMapper provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift>
    Initializing Authorizer provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift.>
    The Authorizer provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift>
    Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
    Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
    Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
    Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
    Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure.>
    Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:205)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:262)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:700)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
    at weblogic.Server.main(Server.java:32)
    >
    ####<Apr 6, 2006 10:42:55 AM CDT> <Emergency> <WebLogicServer> <DXPCHI029398> <myserver> <main> <<WLS Kernel>> <> <BEA-000342> <Unable to initialize the server: weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
    [java.lang.reflect.InvocationTargetException - with target exception:
    [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]>
    ANY HELP on this would be greatly appreciated. I am totally exhausted seeing these error messages since morning.
    I would like to know if I need a client for connecting to this LDAP authenticator, as I am using the Novell API to access the LDAP directory. Let me know, and if so can someone provide me a code snippet.
    Waiting for response.
    thanks in advance
    kiran

    Hi Christoper,
    Based on your description, this seems to be more of a security related question than a workshop one.
    Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
    with information on service pack installed
    Thanks
    Raj

  • Policy agent 2.2 amfilter local authentication with session binding failed

    Hi All,
    I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
    Here is the error I got:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    Here is the error I found from agent log file, amFilter:
    AmFilter: now processing: SSO Task Handler
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: now processing: J2EE Local Logout Task Handler
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: local logout skipped SSO User => amAdmin, principal =>null
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: now processing: J2EE Local Auth Task Handler
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: doing local authentication with session binding
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: Local authentication failed, invalidating session.
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: result =>
    FilterResult:
         Status      : FORBIDDEN
         RedirectURL     : null
         RequestHelper:
              null
         Data:
              null
    -----------------------------------------------------------

    Hi,
    I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
    ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
    java.lang.IllegalStateException: invalidate: Session already invalidated
    at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
    at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
    at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
    at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
    FilterResult:
    Status : FORBIDDEN
    RedirectURL : null
    RequestHelper:
    null
    Data:
    null
    Also, when I debug I see:
    LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
    Did you receive any solution for this?
    Many, many thanks,
    Philip

  • OBIEE 11.1.1.6 problems with weblogic user

    Hi,
    I have set up my Active Directory provider access in OBIEE 11.1.1.6. It's working fine for all the users in my Active Directory, but I can't open my repository online or access Answers with the weblogic user. My control flag is optional, btw.
    Does anybody know why, and how to solve it?
    Great thanks

    Hello,
    Which authenticator provider is set to optional, and which one is set to sufficient?
    Also, are you using the BISystemUser (default weblogic one) as the trusted user, or have you created a user named BISystemUser in AD?
    Let us know how you configured it.
    Thanks,
    SVS

  • Enabling SSO with Weblogic Server

    Hi,
    Can someone please forward some documentation on enabling SSO with Weblogic server for different applications using the admin console?
    Is enabling SSO only possible programmatically?
    Is there an external server in the Weblogic Platform that maintains this SSO information?
    Regards,
    Mukta

    Pradeep,
    Here are some questions for you.
    1. What version of Weblogic App Server are you using?
    2. Is it a weblogic Portal or a Java application deployed on a Weblogic App Server?
    3. You have mentioned that the users are stored in a table. Is it a database table?
    Anyway, see the following link as a starting point.
    http://e-docs.bea.com/wls/docs81/jconnector/security.html#1216783
    If the customer has a lot of other web applications that they want to integrate, you can look at third party authentication solutions (Ex: Siteminder). But if it is a few or limited applications, then a custom solution would be more appropriate from the cost perspective.
    Hope this can be a starting point.
    -Regards
    -Venkat Malempati

  • Active Directory Authentication in Weblogic 8.1

    Hi,
    We want to authenticate against Microsoft Active Directory using weblogic 8.1. I have created an Active Directory and configured weblogic from the console to use it, but it is still not working. Your help with these questions would be highly appreciated.
    1. Has anyone in the group tried this before? Please let me know how to proceed.
    2. Is there any tool by which I can find out the different attributes asked for in the Weblogic configuration?
    3. I am not able to log in to my application after configuration. Is there any other way to find out whether it is working or not?
    There could be a plethora of reasons, but nothing comes to mind. Everything seems to be configured correctly. Here is the portion of my config.xml related to authentication:
    <FileRealm Name="wl_default_file_realm"/>
    <PasswordPolicy Name="wl_default_password_policy"/>
    <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
    <Security GuestDisabled="false" Name="vendavo-dev"
    PasswordPolicy="wl_default_password_policy"
    Realm="wl_default_realm" RealmSetup="true">
    <weblogic.security.providers.authentication.DefaultAuthenticator
    ControlFlag="SUFFICIENT"
    Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
    <weblogic.security.providers.authentication.DefaultIdentityAsserter
    ActiveTypes="AuthenticatedUser"
    Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
    <weblogic.security.providers.authorization.DefaultRoleMapper
    Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
    <weblogic.security.providers.authorization.DefaultAuthorizer
    Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
    <weblogic.security.providers.authorization.DefaultAdjudicator
    Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
    <weblogic.security.providers.credentials.DefaultCredentialMapper
    Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
    <weblogic.management.security.authentication.UserLockoutManager
    Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
    <weblogic.management.security.Realm
    Adjudicator="Security:Name=myrealmDefaultAdjudicator"
    AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name=myrealmADAuthenticator"
    Authorizers="Security:Name=myrealmDefaultAuthorizer"
    CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
    DefaultRealm="true" DisplayName="myrealm"
    Name="Security:Name=myrealm"
    RoleMappers="Security:Name=myrealmDefaultRoleMapper"
    UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
    <weblogic.security.providers.pk.DefaultKeyStore
    Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
    <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
    ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
    DisplayName="ADAuthenticator" FollowReferrals="false"
    GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
    Name="Security:Name=myrealmADAuthenticator"
    Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
    </Security>
    First of all, is it possible to use Active Directory authentication in Weblogic without writing any custom code? If yes, how?
    Thanks in advance,
    Amit Tyagi

    Amit,
    We have successfully used WLS 8.1 sp1 with AD - but not without our share of ups and downs though.
    1) First, make sure you are sending the right LDAP queries to AD. To verify this, we used a free 3rd party LDAP browser from Softerra. There is also a free Java-based browser from Univ of Michigan. Personally, I like Softerra's LDAP browser better. Play with your LDAP settings using this and make sure AD is returning the right data.
    2) AD has some default settings that make it return only the top 1000 users. Use ntdsutil.exe to modify these default settings.
    3) AD needs to have the right set of users and groups. To configure this, refer to the WLS docs. This is very well documented in the WLS docs. Also refer to this article http://dev2dev.bea.com/products/wlportal/whitepapers/wlp70_MSADS.jsp as an additional reference.
    4) Also, there are some bugs with 8.1 portal sp1 and AD. It cannot take more than one Authentication provider. sp2 is supposed to have fixed it. For sp1 we used another product, AD/AM (AD in Application Mode), in combination with MIIS server. But if you are using sp2, you shouldn't have to worry about this.
    5) In your providers, you might want to get rid of the DefaultAuthentication provider, once you are able to establish a connection with your ActiveDirectoryAuthentication provider. The DefaultAuthentication provider causes some problems and does not let the ActiveDirectoryAuthentication provider behave properly. We haven't fully investigated the root of this prob. When we deleted the DefaultAuthentication provider, everything worked normally - so we didn't really care that much :-)
    6) Make sure you have your JAAS options set to OPTIONAL initially and make sure you are able to authenticate and talk to your AD.
    These are the ones I could think of. Hope this helps..
    Regards,
    Anant
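A config.xml fragment like the one in the question can be checked offline before the server is restarted. The script below is an added example, not code from either poster or from BEA: it lists the realm's authentication providers in order with their control flags and flags base DNs that deserve a second look. The sample is constructed by trimming the posted fragment (credential replaced by a placeholder) and keeps a line break inside the `AuthenticationProviders` value to show how a wrapped attribute stops matching the provider name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the config.xml fragment in the question,
# with the stored credential replaced by a placeholder.
SAMPLE = """<Security Name="vendavo-dev">
 <weblogic.security.providers.authentication.DefaultAuthenticator
   ControlFlag="SUFFICIENT" Name="Security:Name=myrealmDefaultAuthenticator"/>
 <weblogic.security.providers.authentication.DefaultIdentityAsserter
   ActiveTypes="AuthenticatedUser" Name="Security:Name=myrealmDefaultIdentityAsserter"/>
 <weblogic.management.security.Realm Name="Security:Name=myrealm"
   AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
=myrealmADAuthenticator"/>
 <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
   ControlFlag="SUFFICIENT" Credential="PLACEHOLDER" Host="venper5"
   GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" UserBaseDN="ou=Users,dc=devdc,dc=com"
   Name="Security:Name=myrealmADAuthenticator" Principal="vendev"/>
</Security>"""

def dn_problems(dn):
    """Flag RDNs that are not attr=value or whose value contains '='.
    Simple comma split: assumes the DN has no escaped commas."""
    out = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not (sep and attr and value):
            out.append(f"{rdn.strip()!r} is not attr=value")
        elif "=" in value:
            out.append(f"{rdn.strip()!r} has '=' inside its value")
    return out

def audit(xml_text):
    """Return (chain, findings): providers in realm order with their
    ControlFlag, plus anything that deserves a second look."""
    root = ET.fromstring(xml_text)
    by_name = {el.get("Name"): el for el in root}
    chain, findings = [], []
    for realm in root.iter("weblogic.management.security.Realm"):
        refs = realm.get("AuthenticationProviders", "").split("|")
        for ref in filter(None, refs):
            el = by_name.get(ref)
            if el is None:
                findings.append(f"realm lists {ref!r}, which matches no provider")
            else:
                chain.append((el.tag.rsplit(".", 1)[-1], el.get("ControlFlag")))
    for el in root:
        for key, val in el.attrib.items():
            if key.endswith("BaseDN"):
                findings += [f"{key}: {p}" for p in dn_problems(val)]
    return chain, findings

if __name__ == "__main__":
    rejoined = SAMPLE.replace("Name\n=", "Name=")
    for label, text in (("with wrapped attribute", SAMPLE), ("re-joined", rejoined)):
        chain, findings = audit(text)
        print(label, chain, *findings, sep="\n  ")
```

An `=` inside an RDN value is flagged as suspicious rather than invalid, because a directory may still accept it; compare the value against what an LDAP browser shows for the group container.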
